Table Of Contents
Command Summary
Command Summary
Commands by Feature
Command Summary
This appendix provides an abbreviated listing of the PIX Firewall command set. Refer to
Chapter 4, "Command Reference" for more information and examples on each command. Only unique variable information is defined for each command.
Parameters that appear frequently in commands are as follows:
• ip_address—The IP address of a host consisting of four sets of numbers called octets. An example is 192.168.42.1. Use 0.0.0.0 to indicate all hosts (0.0.0.0 can be abbrevated as 0).
IP addresses can be specified singly or in a range; for example, 10.0.01-10.0.0-254.
IP addresses consist of a network ID and the host ID:
•For a Class A IP address, which ranges from 0.0.0.0 to 127.255.255.255, the network address is in the first octet and the host ID is in the last three. This permits over a million hosts to be represented by a single Class A IP address.
•For a Class B address, which ranges from 128.0.0.0 to 191.255.255.255, the network address is in the first two octets and the host ID is in the last two. This permits 65,536 hosts to be represented by a single Class B IP address.
•For a Class C address, which ranges from 192.0.0.0 to 223.255.255.255, the network address is in the first three octets and the host ID is in the last octet. This permits 256 hosts to be represented by a single Class C IP address.
•netmask—The network mask associated with ip_address. If ip_address is a network address (the host ID has a zero in each octet), then the network mask determines which hosts in the network are accessible. If the IP address is 0.0.0.0, use the same value for the network mask. To specify a range of hosts, specify the maximum host number in the host ID. For example, in a Class C address, if you want hosts 1through 167 to be accessible, the subnet mask would be 255.255.255.167.
•inside—Applies to the inside network interface that connects the firewall to the local network. This interface handles outbound connections.
•outside—Applies to the outside network interface that connects the firewall to the Internet side of the network. This interface handles inbound connections.
•port—Connection port for a service. You can specify a numeric value or the following reserve words: ftp, h323, http, rpc, and telnet. 0 means match any port. The port values are defined in RFC 1700. If an invalid port range is specified, such as 32-25, the command fails, but an error message is not returned. Reserve words can be used in a range; such as, ftp-telnet.
Command Summary
Note Of the commands that follow, the majority are only available in configuration mode. The exceptions are the unprivileged show, enable, quit, and who commands, and the privileged configure, disable, http, kill, passwd, ping, radius-server, reload, tacacs-server, telnet, and write commands.
aaa authentication service inbound|outbound ip_address netmask tacacs+|radius
service
|
The service to be authenticated. Use any, ftp, http, or telnet.
|
aaa authorization service inside | outside ip_address netmask
service
|
The service to be authenticated. Use any, ftp, http, or telnet.
|
age minutes
minutes
|
Duration in minutes that a Private Link key is used to encrypt information on the connection. The maximum duration is 130,000,000 minutes (247 years).
|
alias inside_net outside_net [netmask]
inside_net
|
IP address on the inside network that is an alias for the outside_net address. This is a NIC-registered IP address assigned to a network on the inside of the firewall. Use a network address to create a net alias.
|
outside_net
|
IP address on the outside network. This is a NIC-registered address assigned to a site on the Internet. Use a network address to create a net alias.
|
apply number outgoing_src|outgoing_dest
number
|
An outbound access list identification number previously created with the outbound command.
|
outgoing_src
|
Applies the access list to the source address(es) of packets received on the inside interface. This allows security policies regarding access to outside services from specific inside systems to be implemented. For example, specify outgoing_src if you want to prevent an inside system using the web.
|
outgoing_dest
|
Applies the access list to the destination address(es) of packets received on the inside interface. This allows security policies regarding access to specific outside services and systems from the inside network to be implemented. For example, specify outgoing_dest to prevent inside systems from accessing a specific web site.
|
arp inside|outside ip_address mac_address [alias]
mac_address
|
Hardware MAC address for the ARP table entry.
|
alias
|
Make this entry permanent. Alias entries do not time out and are automatically stored in the configuration when you use the write command to store the configuration.
|
arp timeout seconds
seconds
|
Duration that an ARP entry can exist in the ARP table before being cleared.
|
auth inside|outside *Obsolete*
auth-server type server_ip[-server_ip] skey *Obsolete*
type
|
Authentication type: radius or tacacs+.
|
server_ip
|
The IP address of the authentication server.
|
skey
|
An alphanumeric keyword of up to 127 characters defined by what the authentication server accepts. This is a public key between the client and server for encrypting data between them. The skey value must be the same on both the client and server systems.
|
auth-user inside|outside type host_ip netmask *Obsolete*
type
|
Authentication type: radius or tacacs+.
|
host_ip
|
The IP address from which or to which access is authenticated.
|
clear [command]
The clear commands are:
clear apply
clear arp [inside|outside ip_address]
clear http ip_address [netmask]
clear lnkopath
clear mailhost
clear names
clear outbound num [permit|deny ip_address netmask port]
clear radius-server [address key]
clear route inside|outside
clear snmp-server contact|location|host value
clear static
clear syslog console
clear syslog host ip_address
clear syslog output facility.level
clear tacacs-server [address key]
clear telnet ip_address netmask
clear uauth
conduit global_ip port[-port] udp|tcp ip_address [netmask]
global_ip
|
Registered IP address. Use a network address when mapping a net static.
|
udp
|
Add conduit for incoming UDP connections.
|
tcp
|
Add conduit for incoming TCP connections.
|
configure floppy
configure memory
configure terminal
disable
enable
enable password password
password
|
A password of up to 16 alphanumeric characters, which is not case sensitive. PIX Firewall converts the password to all lowercase.
|
established udp| tcp
udp
|
Allow return UDP connections.
|
tcp
|
Allow return TCP connections.
|
failover [active]
active
|
Make a PIX Firewall the active unit. Use this command when you need to force control of the connection back to the unit you are accessing, such as when you want to switch control back from a unit after you have fixed a problem and want to restore service to the primary unit. Either enter no failover active on the secondary unit to switch service to the primary or failover active on the primary unit.
|
global global_id ip_address
global_id
|
You can specify up to 256 unique ID values. The valid ID numbers can be any positive number up to 2,147,483,647. If there is a single network on the inside of the PIX Firewall, the global_id has no meaning and you use 1.
|
ip_address
|
One or more IP addresses that the PIX Firewall shares among its connections. NOTE: If you specify a single IP address, port address translation occurs on that address.
|
groom
help
hostname newname
newname
|
New host name for the PIX Firewall prompt. This name can be up to 17 alphanumeric characters and is not case sensitive. PIX Firewall converts the host name to all lowercase.
|
http ip_address netmask
interface ethernet inside|outside 10baseT|100baseTX|auto|aui|bnc
10baseT
|
Sets 10 Mbit Ethernet and half duplex communications.
|
100baseTX
|
Sets 100 Mbit Ethernet and half duplex communications.
|
auto
|
Automatically determines networking speed and sets full duplex communications.
|
aui
|
Sets 10 Mbit Ethernet half duplex communications for an AUI cable interface.
|
bnc
|
Sets 10 Mbit Ethernet half duplex communications for a BNC cable interface.
|
interface token inside|outside [4mbps|16mbps]
4mbps
|
4 megabytes per second data transfer speed. Can be abbreviated as 4.
|
16mbps
|
(default) 16 megabytes per second data transfer speed. Can be abbreviated as 16.
|
ip address inside|outside ip_address [netmask]
kill telnet_id
telnet_id
|
Telnet session ID. Use show who to display Telnet session IDs.
|
link remote_ip_address key-id key
remote_ip_address
|
IP address of a PIX Firewall running Private Link.
|
key-id
|
The key number. Version 4 PIX Firewall supports up to seven Private Link encryption keys. The key_id value can be from 1 to 7.
|
key
|
The 56-bit key (up to 14 hexadecimal digits) used to seed the encryption chip. This key must be the same on each host end of an encrypted link. The key consists of hexadecimal numbers; for example, fadebac7733669. Select a unique key that is difficult to guess and do not use those shown in this document.
|
linkpath dest_net netmask remote_ip
dest_net
|
The IP address of the destination network on the inside interface of the remote PIX Firewall of a Private Link.
|
netmask
|
Specifies a subnet mask to apply to dest_net.
|
remote_ip
|
IP address of the remote PIX Firewall's outside network interface.
|
lnko remote_global key
remote_global
|
IP address from the global address pool.
|
key
|
The encryption key. Version 2 PIX Firewall supports one Private Link encryption key. The encryption key can be up to 56 bits in length (14 hexadecimal digits); for example, fadebacbaabaaa.
|
lnkopath dest_net netmask remote_global
dest_net
|
The IP address of the destination network on the inside interface of the remote PIX Firewall of a Private Link.
|
netmask
|
Specifies a subnet mask to apply to dest_net.
|
remote_global
|
IP address in the global pool of the remote PIX Firewall in a Private Link environment.
|
mailhost global_ip local_ip [max_conns] [em_limit]
global_ip
|
A registered IP address.
|
local_ip
|
The local IP address from the inside network.
|
max_conns
|
The maximum mail connections permitted. Set this value to less than or equal to your connection license. Use show actkey to view the maximum number of connections for your firewall.
|
em_limit
|
The embryonic mail connection limit. The default is 0, which means unlimited connections. The maximum is 65535 and the minimum is 1. A rule of thumb for the limit is the maximum number of connections on your connection license plus 30%; for example, on a 64-session license, set it to at least 40. Set it lower for slower systems, higher for faster systems.
|
mtu inside|outside bytes
inside
|
Specify outbound MTU value.
|
outside
|
Specify inbound MTU value.
|
bytes
|
The number of bytes in the MTU in the range of 64 to 65535 bytes.
|
name ip_address name
ip_address
|
The IP address of the host being named.
|
name
|
The name assigned to the IP address.
|
names
nat global_id ip_address [netmask] [max_conns] [em_limit]
global_id
|
Up to 256 global IDs previously specified with the global command. Specify 0 to indicate that no address translation be used with ip_address.
|
max_conns
|
The maximum mail connections permitted. Set this value to less than or equal to your connection license. Use show actkey to view the maximum number of connections for your firewall.
|
em_limit
|
The embryonic connection limit.
|
no [command]
The no commands are:
no aaa authentication service inbound|outbound address mask
no aaa authorization service inbound|outbound address mask
no alias inside_net
no apply num outgoing_src|outgoing_dest
no arp [inside|outside ip_address]
no conduit global_ip port tcp|udp ip_address netmask
no established udp|tcp
no failover [active]
no global global_id [ip_address]
no http ip_address netmask
no link remote_ip_address key-id key
no linkpath dest_net netmask remote_ip
no lnko remote_global key
no lnkopath dest_net netmask remote_global
no mailhost
no mtu inside|outside
no name ip_address [name]
no names
no nat global_id ip_address [netmask]
no outbound num permit|deny ip_address [netmask [port[-port]]]
no radius-server host ip_address key
no rip inside|outside default|passive
no route inside|outside dest_net_ip
no snmp-server contact|location text
no snmp-server host ip_address
no static global_ip
no syslog console
no syslog host ip_address
no syslog output facility.level
no tacacs-server host ip_address key
no telnet ip_address netmask
outbound num permit|deny ip_address [netmask [port[-port]]] [java]
num
|
A tag number for the access list.
|
permit
|
Allow the access list to access the specified IP address and port.
|
deny
|
Deny the access list access to the specified IP address and port.
|
java
|
Block Java applets being downloaded from ip_address depending on use of the apply command.
|
passwd password
password
|
A password of up to 15 alphanumeric characters, which is not case sensitive. PIX Firewall converts the password to all lowercase.
|
ping inside|outside ip_address
radius-server host server_ip key
server_ip
|
The IP address of the authentication server.
|
key
|
An alphanumeric keyword of up to 127 characters defined by what the authentication server accepts. This is a public key between the client and server for encrypting data between them. The key must be the same on both the client and server systems. PIX Firewall changes to lowercase any letters in the key. Spaces are not permitted in the key, but other special characters are.
|
reload
rip inside|outside default|passive
default
|
Causes the PIX Firewall to broadcast a default route to the inside network.
|
passive
|
Enables passive RIP on either the inside or outside interface. The PIX Firewall listens for RIP routing broadcasts and uses that information to populate its routing tables.
|
route inside|outside dest_net_ip netmask gateway_ip [metric]
dest_net_ip
|
The destination network IP address. Use 0.0.0.0 to specify a default route.
|
netmask
|
Specifies a network mask to apply to dest_net_ip. Use 0.0.0.0 to specify a default route.
|
gateway_ip
|
Specifies the IP address of the gateway router (the next hop address for this route).
|
metric
|
Specifies the number of hops to dest_net_ip. If you are not sure, enter 1.
|
session comm_port
comm_port
|
Specifies the PIX Firewall communications port to which a router inside the firewall connects. Possible values are 0, 1, 2, or 3. The default is port 3.
|
show [command]
The show commands are:
show aaa
show actkey
show age
show alias
show apply [number outgoing_src|outgoing_dest]
show arp [inside|outside ip_address mac alias]
show arp timeout
show blocks
show conduit
show configure
show conn
show established
show failover
show global
show http
show hw
show interface
show ip
show link
show linkpath
show lnko
show lnkopath
show mailhost
show memory
show mtu
show names
show nat
show outbound
show passwd
show processes
show radius-server
show rip
show route
show session
show snmp-server
show static
show syslog
show telnet
show timeout
show uauth
show version
show who [ip_address]
show xlate [global_ip] [local_ip]
snmp-server contact|location text
snmp-server host ip_address
contact
|
Indicate that you are supplying your name or that of the PIX Firewall system administrator.
|
location
|
Indicate that you are specifying your PIX Firewall location.
|
host
|
Indicate that you are specifying an IP address of a host to which SNMP traps should be sent. You can specify a maximum of 5 host IP addresses.
|
text
|
When used with contact, specify your name or that of the PIX Firewall system administrator. When used with location, specify your PIX Firewall location. If the location name contains spaces, surround the string in single quotes; for example, 'building 42'.
|
ip_address
|
When used with host, the IP address of a host to which SNMP traps should be sent. You can specify a maximum of 5 host IP addresses.
|
static global_ip local_ip [max_conns] [em_limit]
global_ip
|
The registered IP address. Use a network address to create a net static.
|
local_ip
|
The local IP address from the inside network. Use a network address to create a net static.
|
max_conns
|
The maximum number of TCP connections allowed for this static.
|
em_limit
|
The embryonic connection limit.
|
syslog console
syslog host host_ip
host_ip
|
The IP address or network of a host that is authorized to receive SYSLOG messages.
|
syslog output facility.level
facility
|
Eight facilities LOCAL0(16) through LOCAL7(23); the default is LOCAL4(20). Hosts file the messages based on the facility number in the message.
|
level
|
Message type; sets the level above which PIX Firewall suppresses messages to the SYSLOG hosts. Setting the level to 3, for example, allows messages with levels 0, 1, 2, and 3 to display. The default is 3. The levels are:
•0 — System unusable
•1 — Take immediate action
•2 — Critical condition
•3 — Error message
•4 — Warning message
•5 — Normal but significant condition
•6 — Informational
•7 — Debug message
|
tacacs-server host ip_address key
ip_address
|
The IP address of the authentication server.
|
key
|
An alphanumeric keyword of up to 127 characters defined by what the authentication server accepts. This is a public key between the client and server for encrypting data between them. The key must be the same on both the client and server systems. PIX Firewall changes to lowercase any letters in the key. Spaces are not permitted in the key, but other special characters are.
|
telnet ip_address netmask
ip_address
|
The IP address or network of a host that is authorized to access the PIX Firewall Telnet management interface.
|
netmask
|
The netmask for the network specified in this Telnet command. Use any valid mask, or a network IP address to enable access to all in the subnet; for example if you set netmask to 255.255.255.0, all systems in the Class C subnet can access the firewall over Telnet. If you set netmask to 255.255.255.255, only the IP address you specify can access the firewall.
|
timeout [conn [hh:mm:ss]] [h323 [hh:mm:ss]] [rpc [hh:mm:ss]]
conn hh:mm:ss
|
Idle time until a connection slot is freed (default value is 12 hours). Use 0:0:0 for the time value to never time out a connection.
|
h323 hh:mm:ss
|
Duration for H323 (Internet Phone) inactivity timer. When this time elapses, the port used by the H323 service closes.
|
rpc hh:mm:ss
|
Idle time until an RPC slot is freed.
|
uauth hh:mm:ss
|
Duration before authentication and authorization cache times out and user has to reauthenticate next connection.
|
udp hh:mm:ss
|
Idle time until a UDP slot is freed.
|
xlate hh:mm:ss
|
Idle time until a translation slot is freed (default value is 24 hours).
|
[uauth [hh:mm:ss]] [udp [hh:mm:ss]] [xlate [hh:mm:ss]]
who [ip_address]
write erase
write floppy
write memory
write terminal
Commands by Feature
lists configuration commands by feature.
Table A-1 Commands by PIX Firewall Feature
Feature
|
Command
|
Access Mode
|
AAA (Authentication, Authorization, and Accounting)
|
aaa authentication
aaa authorization
radius-server
tacacs-server
|
Configuration
Configuration
Configuration
Configuration
|
ARP cache:
Adjust
Flush
|
arp
clear arp-cache
|
Configuration
Privileged
|
Configuration:
Read from floppy
Store on floppy
View current configuration in RAM
|
conf floppy
write floppy
write term
|
Privileged
Privileged
Privileged
|
Cut-Through Proxy
|
aaa authentication
aaa authorization
radius-server
tacacs-server
|
Configuration
Configuration
Configuration
Configuration
|
Ethernet, configure
|
interface ethernet 10baseT
|
Configuration
|
Failover (optional):
•Configure
•Force PIX Firewall to active
•Force PIX Firewall to standby
•Show status
|
failover
failover active
no failover active
show failover
|
Configuration
Configuration
Configuration
Unprivileged
|
Fast Ethernet, configure
|
interface ethernet auto
|
Configuration
|
Flash memory access:
•Clear
•Display configuration in flash memory
•Reload from
•Write to
|
groom
show configuration
reload
write memory
|
Privileged
Privileged
Privileged
Privileged
|
Floppy disk access:
•Read from
•Save configuration to
|
configure floppy
write floppy
|
Privileged
Privileged
|
IP address, set
|
ip address
|
Configuration
|
Java applet filtering
|
outbound deny ... java
|
Configuration
|
NAT (Name Address Translation)
|
alias, nat
|
Configuration
|
Private Link:
•Age links
•Configure
•V2 compatibility
|
age
link and linkpath
lnko and lnkopath
|
Configuration
Configuration
Configuration
|
Mail Guard
|
mailhost
|
Configuration
|
Multimedia
|
established
|
Configuration
|
Processes, show thread information
|
show processes
|
Unprivileged
|
Prompt host name, change
|
hostname
|
Configuration
|
RIP listening, enable or disable
|
rip
|
Configuration
|
Routing table:
•Adjust
•Show
|
route
show route
|
Configuration
Unprivileged
|
SNMP
|
snmp-server
|
Configuration
|
SYSLOG:
•Display messages as they occur
•Messages, display log
•Messages, change facility and level
•Server, assign
|
syslog console
show syslog
syslog output
syslog host
|
Configuration
Unprivileged
Configuration
Configuration
|
Token Ring interface, configure
|
interface token
|
Configuration
|